Abstract

We show that using character sum estimates due to H. Iwaniec leads to an
improvement of recent results about the distribution and finding of RSA
moduli $M = p\ell$, where $p$ and $\ell$ are primes, with prescribed bit
patterns. We are now able to specify about $n$ bits instead of about $n/2$
bits as in the previous work. We also show that the same result of
H. Iwaniec can be used to obtain an unconditional version of a
combinatorial result of W. de Launey and D. Gordon that was originally
derived under the Extended Riemann Hypothesis.
1 Introduction

For an integer $n$, we use $\mathcal{P}_n$ to denote the set of primes $p$
with $2^{n-1} < p < 2^n$. Let $\mathcal{M}_n$ be the set of RSA moduli
$M = p\ell$ that are products of two distinct primes
$p, \ell \in \mathcal{P}_n$.

Thus each $M \in \mathcal{M}_n$ has either $2n - 1$ or $2n$ bits which we
number from the right to the left.

Motivated by some cryptographic applications (in particular by the idea of
reducing the size of the public key), various heuristic algorithms to
construct moduli $M \in \mathcal{M}_n$ having a sufficiently long specified
bit pattern have been given in [T][TT]. Unfortunately, giving a rigorous
analysis of these algorithms requires a very strong form of Linnik's
Theorem, which far exceeds our current state of knowledge.

A different algorithm was proposed in [10]. Certainly this algorithm is
likely to produce moduli having shorter prescribed bit patterns than those
of [T][TT]. However, using exponential sums, this algorithm has been
rigorously analysed and shown to output in expected polynomial time a
desired modulus $M \in \mathcal{M}_n$ with about $n/2$ prescribed bits.

Here we use the bound of character sums of H. Iwaniec [5] (see also [2, 3]
and references therein) instead of bounds on exponential sums. This allows
us to show that in fact the same algorithm can be used to generate in
expected polynomial time a desired RSA modulus $M \in \mathcal{M}_n$ with
about $n$ prescribed bits.

Our result immediately yields an improvement of Theorem 5 in [10],
producing RSA moduli $M \in \mathcal{M}_n$ with at least $(3/2 + o(1))n$
zero bits. As in [10] we remark that such moduli may be useful for the
Paillier cryptosystem, see [9], where one computes $M$th powers.

We also outline some possible applications of the same ideas to generating
sparse RSA moduli and smooth numbers (that is, numbers free of large prime
factors) with a prescribed bit pattern, hence improving some other results
of [10].

We end up with an observation that the results of [5] can also be used to
eliminate the assumption of the Extended Riemann Hypothesis from a result
of W. de Launey and D. Gordon [1].

Throughout the paper, $\mathcal{P}$ denotes the set of primes and $\ln z$
denotes the natural logarithm of $z > 0$.



2 RSA Moduli with Prescribed Bit Patterns 

We recall the algorithm of [10] to generate an RSA modulus $M$ having a
desired bit pattern on certain positions.

Given a binary string $\sigma$ of length $m$, we denote by
$\mathcal{M}_{n,m}(\sigma)$ the set consisting of $M \in \mathcal{M}_n$
such that the bits of $M$ at the positions $n - 1, \ldots, n - m$ form
the binary string $\sigma$.
Algorithm RSA-Modulus($n$, $m$, $\sigma$)

Step 1 Choose an odd integer $k$ in the interval $1 < k < 2^{n-m}$ and a
prime $p \in \mathcal{P}_n$ uniformly at random.
Step 2 Compute the positive integer $r < 2^n$ which satisfies the congruence

$$pr \equiv 2^{n-m}s + k \pmod{2^n},$$

where $s$ is the integer whose binary representation coincides with $\sigma$.
Step 3 Test whether $2^{n-1} < r$, $r \ne p$ and also test $r$ for
primality; if $r$ is prime then put $\ell = r$ and output $M = p\ell$,
otherwise go to Step 1 and start a new round of the algorithm.

Certainly, if Algorithm RSA-Modulus($n$, $m$, $\sigma$) terminates it
outputs $M \in \mathcal{M}_{n,m}(\sigma)$.
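
Steps 1 to 3 as a runnable sketch in Python. This is an added example, not code from the paper: Miller-Rabin stands in for the primality test, bit positions are taken as 0-indexed from the right, and the names rsa_modulus, random_prime, pattern_bits and the max_rounds cap are assumptions of the example.

```python
# Added illustration (not the paper's code); bits are 0-indexed from the right.
import random

def is_probable_prime(x, rounds=32):
    """Miller-Rabin with random bases (a probabilistic primality test)."""
    if x < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if x % q == 0:
            return x == q
    d, t = x - 1, 0
    while d % 2 == 0:
        d, t = d // 2, t + 1
    for _ in range(rounds):
        y = pow(random.randrange(2, x - 1), d, x)
        if y in (1, x - 1):
            continue
        for _ in range(t - 1):
            y = pow(y, 2, x)
            if y == x - 1:
                break
        else:
            return False          # no square reached -1: x is composite
    return True

def random_prime(n):
    """Uniform prime p with 2^(n-1) < p < 2^n, by rejection sampling."""
    while True:
        p = random.randrange(2 ** (n - 1) + 1, 2 ** n, 2)
        if is_probable_prime(p):
            return p

def rsa_modulus(n, m, sigma, max_rounds=100000):
    """Run Steps 1-3; sigma is the pattern as a string of m '0'/'1' chars."""
    if len(sigma) != m or not 0 < m < n - 1:
        raise ValueError("need len(sigma) == m and 0 < m < n - 1")
    s = int(sigma, 2)
    for _ in range(max_rounds):
        k = random.randrange(3, 2 ** (n - m), 2)   # Step 1: odd k, 1 < k < 2^(n-m)
        p = random_prime(n)
        target = 2 ** (n - m) * s + k              # always below 2^n
        r = target * pow(p, -1, 2 ** n) % 2 ** n   # Step 2: p*r = target mod 2^n
        if r > 2 ** (n - 1) and r != p and is_probable_prime(r):  # Step 3
            return p, r, p * r                     # (p, l, M)
    raise RuntimeError("round cap reached without finding a modulus")

def pattern_bits(M, n, m):
    """Bits n-1 .. n-m of M as a string, most significant first."""
    return format((M >> (n - m)) & (2 ** m - 1), "0%db" % m)
```

At cryptographic sizes such as n = 1024, and at the toy sizes convenient for running this sketch, n - n^{3/4} ln n is negative, so Theorem 1 is an asymptotic statement and such runs illustrate the steps, not its guarantee.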



Theorem 1 For $m = \lfloor n - n^{3/4} \ln n \rfloor$ and any binary string
$\sigma$ of length $m$, Algorithm RSA-Modulus($n$, $m$, $\sigma$)
terminates in expected polynomial time.

Proof. As in [10], for an integer $0 \le k \le 2^{n-m} - 1$, we denote by
$N(k)$ the number of solutions $p, \ell \in \mathcal{P}_n$ to the
congruence $p\ell \equiv 2^{n-m}s + k \pmod{2^n}$ where the binary
representation of the integer $s$ is given by the string $\sigma$
(certainly $N(k) = 0$ for every even $k$).

Let $\mathcal{X}$ be the set of multiplicative characters modulo $2^n$ (see
[6, Chapter 3] for a background on characters and character sums).

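We also use $\mathcal{X}^*$ to denote the set of nonprincipal characters.
We recall the orthogonality relation

$$\sum_{\chi \in \mathcal{X}} \chi(u) = \begin{cases} 0, & \text{if } u \not\equiv 1 \pmod{2^n}, \\ 2^{n-1}, & \text{if } u \equiv 1 \pmod{2^n}, \end{cases} \tag{1}$$

see [6, Section 3.2].
By (1), we have

$$N(k) = \frac{1}{2^{n-1}} \sum_{p, \ell \in \mathcal{P}_n} \sum_{\chi \in \mathcal{X}} \chi\left((2^{n-m}s + k) p^{-1} \ell^{-1}\right),$$

where the inverse values $p^{-1}$ and $\ell^{-1}$ are taken modulo $2^n$.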

Changing the order of summation and separating the term
$(\#\mathcal{P}_n)^2 2^{-n+1}$ corresponding to the principal character we
obtain

$$N(k) = (\#\mathcal{P}_n)^2 2^{-n+1} + \frac{1}{2^{n-1}} \sum_{\chi \in \mathcal{X}^*} \chi(2^{n-m}s + k) \sum_{p, \ell \in \mathcal{P}_n} \chi(p^{-1}\ell^{-1}).$$



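Therefore

$$\sum_{k=0}^{2^{n-m}-1} N(k) = \frac{(\#\mathcal{P}_n)^2}{2^m} + \Delta, \tag{2}$$

where

$$\Delta = \frac{1}{2^{n-1}} \sum_{\chi \in \mathcal{X}^*} \sum_{k=0}^{2^{n-m}-1} \chi(2^{n-m}s + k) \left( \sum_{p \in \mathcal{P}_n} \chi(p^{-1}) \right)^2.$$

Using the triangle inequality, we conclude that

$$|\Delta| \le \frac{1}{2^{n-1}} \sum_{\chi \in \mathcal{X}^*} \left| \sum_{k=0}^{2^{n-m}-1} \chi(2^{n-m}s + k) \right| \left| \sum_{p \in \mathcal{P}_n} \chi(p^{-1}) \right|^2 = \frac{1}{2^{n-1}} \sum_{\chi \in \mathcal{X}^*} \left| \sum_{k=0}^{2^{n-m}-1} \chi(2^{n-m}s + k) \right| \left| \sum_{p \in \mathcal{P}_n} \chi(p) \right|^2,$$

since the values of $\chi(p)$ and $\chi(p^{-1})$ are conjugated over
$\mathbb{C}$.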
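We now recall that by [5, Lemma 6],

$$\left| \sum_{k=0}^{2^{n-m}-1} \chi(2^{n-m}s + k) \right| \ll 2^{n-m} n^{-2}$$

provided that

$$2^{n-m} \ge 2^{n^{3/4} \ln n},$$

which is satisfied for our choice of $m$.
Therefore

$$|\Delta| \ll \frac{1}{2^m n^2} \sum_{\chi \in \mathcal{X}^*} \left| \sum_{p \in \mathcal{P}_n} \chi(p) \right|^2 \le \frac{1}{2^m n^2} \sum_{\chi \in \mathcal{X}} \left| \sum_{p \in \mathcal{P}_n} \chi(p) \right|^2 = \frac{1}{2^m n^2} \sum_{p, \ell \in \mathcal{P}_n} \sum_{\chi \in \mathcal{X}} \chi(p\ell^{-1}).$$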
By (1) we see that the inner sum vanishes unless
$p \equiv \ell \pmod{2^n}$, which is equivalent to $p = \ell$. Therefore

$$|\Delta| \ll \frac{2^{n-m} \#\mathcal{P}_n}{n^2}. \tag{3}$$

Since $\#\mathcal{P}_n \gg 2^n n^{-1}$, substituting the bound (3) in (2)
we derive

$$\sum_{k=0}^{2^{n-m}-1} N(k) = \left(1 + O(n^{-1})\right) \frac{(\#\mathcal{P}_n)^2}{2^m}.$$

This is a full analogue of the asymptotic formula (4) in [10] (except that
the value of $m$ is now different). Accordingly, the rest of the proof is
identical to that of Theorem 4 in [10]. □



As we have remarked, Theorem 1 immediately yields the following improvement
of Theorem 5 in [10], which may have some application for the Paillier
cryptosystem (see [9]).

Corollary 1 For $m = n - n^{3/4} \ln n$ and the $m$-dimensional zero string
$\vartheta = (0, \ldots, 0)$ of length $m$, Algorithm
RSA-Modulus($n$, $m$, $\vartheta$) terminates in expected polynomial time
and with probability $1 + o(1)$ outputs a modulus $M \in \mathcal{M}_n$
with at most $(1/2 + o(1))n$ nonzero bits.



3 Other Applications 



One can use a similar approach to improve Theorem 6 of [10] which guarantees
the existence of certain smooth numbers with prescribed bit patterns.

Moreover, without any substantial changes, an analogue of Theorem 1 can
be obtained for the values of the Euler function
$\varphi(p\ell) = (p - 1)(\ell - 1)$. For example, one can prove that for
any $r$, there are $r$-bit integers $R$ such that the binary expansion of
$\varphi(R)$ contains $(3/4 + o(1))r$ nonzero digits. This can be extended
to $g$-ary expansions for any base $g$.

Finally, we conclude by noting that the results of [3] and [3] have direct
implications on the distribution of primes in arithmetic progressions
modulo $2^n$. P. X. Gallagher [3] proves that if $q = p^r$ ($p$ odd) and if
$q x^{3/5+\varepsilon} < h < x$, then

$$\psi(x + h, q, a) - \psi(x, q, a) \sim \frac{h}{\varphi(q)} \tag{4}$$

whenever $(a, q) = 1$, where, as usual,

$$\psi(x, q, a) = \sum_{\substack{k \le x \\ k \equiv a \pmod{q}}} \Lambda(k)$$

and

$$\Lambda(k) = \begin{cases} \ln p, & \text{if $k$ is a power of a prime $p$,} \\ 0, & \text{otherwise,} \end{cases}$$

is the von Mangoldt function, see [6, Chapter 5.9]. The exponent 3/5 came
from appealing to a zero-density estimate of H. L. Montgomery [8]. For
technical reasons, P. X. Gallagher [3] excludes consideration of the case
$p = 2$, but his proof can be easily modified to this case. The details of
this modification (and much more) have been given by H. Iwaniec [5]. By
using a zero-density result of Huxley [I] in conjunction with [5], one sees
that (4) is true with $q = 2^r$ and $q x^{7/12+\varepsilon} < h < x$. This
result can be used in place of the Extended Riemann Hypothesis in the paper
of W. de Launey and D. Gordon [1]. In particular, in the last undisplayed
equation on page 184 of [1], one may take $y = n^{7/12+\varepsilon}$.
In turn, this yields an unconditional version of Theorem 1.2 of [1], albeit
with a weaker error term:

$$r(N) > \frac{N}{2} + O\left(N^{113/132 + o(1)}\right)$$

for any $N \equiv 0 \pmod{4}$, where $r(N)$ is the largest $R$ for which
there is an $R \times N$ Hadamard matrix (that is, a $\pm 1$ matrix $H$
with $HH^T = N I_R$, where $I_R$ is the $R \times R$ identity matrix). The
exponent 113/132 arises as

$$\frac{a}{1 + a} + \frac{7}{12} = \frac{113}{132},$$

where, as in [4], we take $a = 3/8$. In the conditional result of
W. de Launey and D. Gordon [1], the 7/12 term is replaced by 1/2, thus
giving the exponent

$$\frac{17}{22} = \frac{113}{132} - \frac{1}{12}.$$